Date: Mon, 20 Sep 1999 16:27:42 +0200
From: Eivind Eklund <eivind@FreeBSD.ORG>
To: Brett Glass <brett@lariat.org>
Cc: security@FreeBSD.ORG
Subject: Re: Best way to do FTP with NAT and firewall?
Message-ID: <19990920162742.A12619@bitbox.follo.net>
In-Reply-To: <4.2.0.58.19990917090848.04e582e0@localhost>; from Brett Glass on Fri, Sep 17, 1999 at 09:16:11AM -0600
References: <4.2.0.58.19990917090848.04e582e0@localhost>
On Fri, Sep 17, 1999 at 09:16:11AM -0600, Brett Glass wrote:
> I've just set up a firewall for a client using ipfw and natd. Trouble is,
> his software seems to be particularly insistent on doing active, rather
> than passive, FTP. This poses a problem, of course, because a remote system
> can't open just data sockets to one behind the firewall due to NAT.
>
> I've worked with plenty of commercial firewalls that monitor FTP control
> connections and spoof the port number for the data sockets. SLiRP does it;
> so, apparently, does the pppd that comes with FreeBSD. But I can't find any
> documented way to do it with ipfw and natd.
>
> Are there undocumented commands to accomplish this?

Using the hooks I added to libalias to accomplish this. That would, however,
require some small mods to the natd code (about 20-50 lines, I guess).

These punch fully specified holes for active FTP and IRC DCC connections,
using a range of IPFW rule numbers designated by the caller. "Fully
specified" in this context means with specified source address, destination
address, source port and destination port. These time out the same way as
usual, and should not pose any risk.

Eivind.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
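To make the "fully specified hole" idea concrete, here is an added illustration (not Eivind's libalias/natd code, and not part of the original thread) of what such a helper has to do: watch the FTP control channel for the client's RFC 959 `PORT h1,h2,h3,h4,p1,p2` command, derive the address and port the server will connect back to, and emit an ipfw rule that names all four tuple elements (server address and port 20 as source, client address and data port as destination), drawn from a caller-designated rule-number range and expired after a time-out. The rule text uses real `ipfw add N allow tcp from A P to B Q` syntax; the `HolePuncher` class, its method names, the 60-second default TTL and the sample addresses are all constructed for this example. The NAT address rewrite that natd performs on the PORT payload is outside the example: the address parsed here is taken as the one the hole should be written against.

```python
"""Track FTP PORT commands and build fully specified ipfw holes.

Added example only; assumptions: the firewall sees the control connection
between the client and an external server, the server connects back from
TCP port 20 (RFC 959), and rule numbers come from a caller-designated range.
"""
import re
import time
from dataclasses import dataclass
from typing import Dict, List, Tuple

# RFC 959 PORT argument: four address octets and two port bytes.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port(line: str) -> Tuple[str, int]:
    """Return (host, port) from a PORT command line, or raise ValueError."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % line)
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port < 1024:
        # A data port below 1024 is never legitimate for a client; refuse it.
        raise ValueError("refusing privileged data port %d" % port)
    return host, port


@dataclass
class Hole:
    """One fully specified rule: src addr/port and dst addr/port all fixed."""
    rule_no: int
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    expires: float

    def ipfw_add(self) -> str:
        return "ipfw add %d allow tcp from %s %d to %s %d" % (
            self.rule_no, self.src_addr, self.src_port, self.dst_addr, self.dst_port)

    def ipfw_delete(self) -> str:
        return "ipfw delete %d" % self.rule_no


class HolePuncher:
    """Allocate rule numbers from [first_rule, last_rule] and time them out."""

    def __init__(self, first_rule: int, last_rule: int, ttl_seconds: float = 60.0):
        self.first_rule = first_rule
        self.last_rule = last_rule
        self.ttl = ttl_seconds
        self.holes: Dict[int, Hole] = {}

    def _alloc(self) -> int:
        for n in range(self.first_rule, self.last_rule + 1):
            if n not in self.holes:
                return n
        raise RuntimeError("no free rule numbers in designated range")

    def punch_active_ftp(self, control_client_addr: str, server_addr: str,
                         port_line: str, now: float = None) -> Hole:
        """Open the hole for the data connection announced by port_line."""
        now = time.time() if now is None else now
        host, port = parse_port(port_line)
        # The announced address must be the control-connection peer; otherwise
        # the hole would be opened towards some third host instead.
        if host != control_client_addr:
            raise ValueError("PORT address %s != control peer %s" % (host, control_client_addr))
        self.expire(now)
        hole = Hole(self._alloc(), server_addr, 20, host, port, now + self.ttl)
        self.holes[hole.rule_no] = hole
        return hole

    def expire(self, now: float = None) -> List[int]:
        """Drop holes past their TTL; return the rule numbers removed."""
        now = time.time() if now is None else now
        gone = [n for n, h in self.holes.items() if h.expires <= now]
        for n in gone:
            del self.holes[n]
        return gone


if __name__ == "__main__":
    # Constructed sample: client 192.168.1.10 talking to server 203.0.113.5.
    hp = HolePuncher(1000, 1010, ttl_seconds=30.0)
    hole = hp.punch_active_ftp("192.168.1.10", "203.0.113.5",
                               "PORT 192,168,1,10,4,1", now=100.0)
    print(hole.ipfw_add())
    print("expired:", hp.expire(now=131.0))
```

Two points the code makes that the prose only implies: a hole that fixes all four tuple elements is only as safe as the address check on the PORT payload, so the helper must insist that the announced address is the control-connection peer; and the rule number must be released on expiry, or a busy helper exhausts its designated range.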
Archive URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990920162742.A12619>
